author…: Egidio Romano aka EgiX
mail…: n0b0d13s[at]gmail[dot]com
software link…: http://www.apprain.com/
[-] vulnerable code in /webroot/addons/uploadify/uploadify.php
$tempFile = $_FILES['Filedata']['tmp_name'];
//$targetPath = $_SERVER['DOCUMENT_ROOT'] . $_REQUEST['folder'] . '/';
$targetFile = "uploads/" . $_FILES['Filedata']['name'];
// $fileTypes = str_replace('*.','',$_REQUEST['fileext']);
// $fileTypes = str_replace(';','|',$fileTypes);
// $typesArray = split('\|',$fileTypes);
// $fileParts = pathinfo($_FILES['Filedata']['name']);
// if (in_array($fileParts['extension'],$typesArray)) {
// Uncomment the following line if you want to make the directory if it doesn't exist
// mkdir(str_replace('//','/',$targetPath), 0755, true);
move_uploaded_file($tempFile,$targetFile);
echo str_replace($_SERVER['DOCUMENT_ROOT'],'',$targetFile);
// } else {
// echo 'Invalid file type.';
// }
Restricted access to this script isn't properly realized, so an attacker might be able to upload
arbitrary files containing malicious PHP code due to uploaded file extension isn't properly checked.
[-] Possible bug fix:
include_once('…/…/…/app.php');
App::__Obj('appRain_Base_Core')->check_admin_login();
add this lines of code at the beginning of the script
[-] Disclosure timeline:
[19/12/2011] - Vulnerability discovered
[19/12/2011] - Issue reported to http://www.apprain.com/ticket/1135
[20/12/2011] - Vendor response and fix suggested
[16/01/2012] - After four weeks still no fix released
[19/01/2012] - Public disclosure
[-] Proof of concept: